1. Introduction 

Ever since the notion of type was introduced in computer science, there have been people claiming that Type 
(the collection of all types) should be a type, and hence be a member of itself. This was intended to permit 
computations yielding types as results, and it seemed to be a straightforward extension of the (otherwise) successful 
principle that, in programming languages, one should be able to operate uniformly on every entity in the domain of 
discourse. 

The notion of Type being a type (written Type:Type) is however in apparent contrast with the requirements of 
static typechecking, philosophically dubious, and often (when formalized) mathematically inconsistent. All the 
existing programming languages with Type:Type have been designed on shaky grounds, and built without much 
investigation of the really fundamental difficulties that have to be resolved. 

Pebble [Burstall 84] is probably the first serious attempt at defining a programming language with a consistent 
type structure based on dependent types and the notion of Type:Type. Pebble's semantics and typechecking strategy 
are defined operationally, and leave open some semantic questions. This paper describes a type-theoretical and 
denotational semantics foundation for Pebble-like languages. 

To make sense of Type:Type it seems necessary to abandon at least two very familiar ideas: first, the notion 
that a type is a set of values and second, the notion that typechecking should be decidable, or, in pragmatic terms, 
that program compilation should always terminate. The problem with the first notion is that we would need a set 
which contains itself as an element - a concept not supported by ordinary set theory. However, we shall see that we 
can use less intuitive meanings of type which are not inconsistent with Type:Type. The second notion is 
questionable in the light of modern requirements of software engineering and data base languages. 

To deal with Type:Type it is useful to introduce a relatively unfamiliar idea: the notion of dependent type. This 
allows one to assign useful types to computations operating on types, and hence to perform static typechecking even 
in very dynamic situations where types are being computed. We have to be careful with the meaning of static 
typechecking in this context: although computations do not require run-time typing, typechecking requires arbitrary 
computations; it is still possible to identify a first phase of static (although possibly not terminating) typechecking, 
followed by a second execution phase which does not require any typechecking. 

All the key ideas presented here are fairly well known. Semantic domains where Type:Type holds were defined 
by Scott [Scott 76]. The basic language semantics problems were solved by McCracken [McCracken 79]. Dependent 
types come from intuitionistic type theory [Martin-Löf 80], and their denotational semantics is studied by 
Barendregt and Rezus [Barendregt 83] [Rezus 85]. Relevant languages have been proposed such as Russell [Boehm 
80] and Pebble [Burstall 84]. Relevant formal systems have been widely studied; they include intuitionistic logic and 
type theory [Scott 70] [Martin-Löf 80]; second-order lambda calculus [Girard 72] [Reynolds 74] [Fortune 83] [Bruce 
84]; Automath [de Bruijn 80] [Barendregt 83]; the theory of constructions [Coquand 85a, 85b]; the foundations of 
Russell [Hook 84] [Donahue 85]; and a calculus with Type:Type [Meyer 86]. 

Somehow, a clear connection between these ideas, from the programming language point of view, was missing. 
For example, Girard discovered that a dependent type system where Type:Type holds is inconsistent as a logic 
system (but it is not inconsistent as a computation system); Meyer and Reinhold concluded that a language where 
Type:Type holds is computationally consistent but pathological and dangerous for programming; Burstall and 
Lampson concluded that such a language is useful and necessary for large-scale programming, but did not 
investigate a denotational semantics; McCracken developed semantic techniques more general than the language she 
applied them to; and Girard and Reynolds developed systems where Type:Type does not hold but which have all 
the complications, from a denotational point of view, of systems where it does hold. 

The purpose of this paper is to present a polymorphic language with Type:Type, where types are values. Such a 
language has a formal type inference system and formal denotational semantics, and can be used to model second-order 
λ-calculus and the basic features of Pebble. The type system is very expressive, possibly the most expressive 
type system known to date, as it embodies the power of intuitionistic type theory. However, this expressive power 
comes at the cost of decidability: there are no typechecking algorithms for the full language. In practice a whole 
range of partial typecheckers can be written, from very simple to very complex; a larger number of correct programs 
will be recognized as legal by more complex typecheckers. 

Languages with the Type:Type property will be useful in areas such as software engineering, to express 
computations involving collections of types and values (like parametric modules and linking), and data bases, to 
express computations parameterized on data schemas. Although there may still be philosophical objections to its use, 
it is now clear that the Type:Type property makes perfect sense and can be incorporated in useful and semantically 
understood tools. 

2. Syntax 

An expression can be a variable x, the constant Type (the "type of all types"), a typed λ-expression, an 
application, a universal type expression (also called dependent product), a pair, a let-expression (for taking pairs 
apart), an existential type expression (also called dependent sum), or a μ-expression for recursion. 

Functions have universal types, which in simple cases degenerate to ordinary function types, and pairs have 
existential types, which degenerate to cartesian product types. Universal types are dependent because the type of the 
result of a function may depend on the value of the argument. Existential types are dependent, as the type of the 
second component of a pair may depend on the value of the first component. 

Instead of having two primitives, fst and snd, for breaking up pairs, we have a single primitive: let x,y = c in d 
(where we always assume x ≠ y). Here c evaluates to a pair whose first and second components are bound to x and y 
in the scope d. 

In the following syntax, i are identifiers and e are expressions: 

e ::= i | Type | λi:e. e | e(e) | ∀i:e. e | <e, e> | let i,i = e in e | ∃i:e. e | μi:e. e 



There is no distinction between type-expressions and value-expressions: they are both expressions and can be 
intermixed. If we add a constant Int for the integer type (which can be defined, as we shall see), then 
type-expressions and integer-expressions have similar status: they denote disjoint classes of well-typed expressions. This 
is in contrast to most languages, where integer-expressions can be computed, while type-expressions are used only in 
typechecking. 

The recursion operator μ can be used to define both recursive types (in the form μx:Type. e) and recursive 
values. 

Notation: we shall use any of the letters a, b, c, A, B, C as metavariables ranging over expressions, and x, y, z 
as metavariables ranging over identifiers. The upper case letters will normally be used for expressions which are 
type expressions. 

3. Scoping and Substitution 

The scoping of identifiers is determined by the following definition of the set of free variables (FV) of an 
expression: 

FV(x) = {x} 
FV(Type) = ∅ 
FV(λx:A. b) = FV(A) ∪ (FV(b) − {x}) 
FV(b(c)) = FV(b) ∪ FV(c) 
FV(∀x:A. B) = FV(A) ∪ (FV(B) − {x}) 
FV(<b,c>) = FV(b) ∪ FV(c) 
FV(let x,y = b in c) = FV(b) ∪ (FV(c) − {x,y}) 
FV(∃x:A. B) = FV(A) ∪ (FV(B) − {x}) 
FV(μx:A. b) = FV(A) ∪ (FV(b) − {x}) 

Note that in expressions like λx:x. x the second occurrence of x is not bound by the first one, so that the 
previous expression is equivalent to λy:x. y (in general, we identify expressions up to renaming of bound variables). 
The following definition of substitution makes this clear, where b{x←a} is the result of substituting the expression a 
for all the free occurrences of the variable x in the expression b. 

x{x←a} = a 
y{x←a} = y    (y ≠ x) 
Type{x←a} = Type 
(λx:A. b){x←a} = λx:A{x←a}. b 
(λy:A. b){x←a} = λy':A{x←a}. b{y←y'}{x←a}    (y, y' ≠ x; y' ∉ FV(b)) 
(b(c)){x←a} = b{x←a}(c{x←a}) 
(∀x:A. B){x←a} = ∀x:A{x←a}. B 
(∀y:A. B){x←a} = ∀y':A{x←a}. B{y←y'}{x←a}    (y, y' ≠ x; y' ∉ FV(B)) 
<b, c>{x←a} = <b{x←a}, c{x←a}> 
(let x,y = b in c){x←a} = let x,y = b{x←a} in c 
(let y,x = b in c){x←a} = let y,x = b{x←a} in c 
(let y,z = b in c){x←a} = let y',z' = b{x←a} in c{y←y'}{z←z'}{x←a}    (y, z, y', z' ≠ x; y', z' ∉ FV(c)) 
(∃x:A. B){x←a} = ∃x:A{x←a}. B 
(∃y:A. B){x←a} = ∃y':A{x←a}. B{y←y'}{x←a}    (y, y' ≠ x; y' ∉ FV(B)) 
(μx:A. b){x←a} = μx:A{x←a}. b 
(μy:A. b){x←a} = μy':A{x←a}. b{y←y'}{x←a}    (y, y' ≠ x; y' ∉ FV(b)) 
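The FV function and the substitution b{x←a} of this section, implemented over the syntax of Section 2, as an added example that is not part of the paper. The tuple encoding of expressions, the `pick`/`show` helpers and the choice to keep a binder's name when no capture is possible (the same term up to renaming of bound variables) are assumptions of this example; the side conditions otherwise follow the table above, strengthened so that the fresh name also avoids FV(a).

```python
# Added example (not from the paper): the free-variable function FV and the
# capture-avoiding substitution b{x<-a} of Section 3, over the paper's syntax.
# Expressions are nested tuples:
#   ("var", x)  ("type",)  ("lam", x, A, b)  ("app", b, c)  ("all", x, A, B)
#   ("pair", b, c)  ("let", x, y, b, c)  ("ex", x, A, B)  ("mu", x, A, b)
from itertools import count

BINDERS = {"lam", "all", "ex", "mu"}   # forms binding one variable: (tag, x, A, body)
SYMBOL = {"lam": "λ", "all": "∀", "ex": "∃", "mu": "μ"}

def fv(e):
    """FV(e), following the table in Section 3."""
    tag = e[0]
    if tag == "var":
        return {e[1]}
    if tag == "type":
        return set()
    if tag in BINDERS:                      # FV(A) ∪ (FV(body) − {x})
        _, x, A, body = e
        return fv(A) | (fv(body) - {x})
    if tag in ("app", "pair"):              # FV(b) ∪ FV(c)
        return fv(e[1]) | fv(e[2])
    if tag == "let":                        # FV(b) ∪ (FV(c) − {x, y})
        _, x, y, b, c = e
        return fv(b) | (fv(c) - {x, y})
    raise ValueError(f"unknown expression form {tag!r}")

def pick(y, body, a, x, taken=frozenset()):
    """The renamed binder y' of (λy:A. b){x<-a} = λy':A{x<-a}. b{y<-y'}{x<-a}.
    The paper's side condition is y' ≠ x, y' ∉ FV(body); we also keep y' out of
    FV(a) (so free variables of a are not captured) and, when y already satisfies
    that, keep y itself, which is the same term up to renaming of bound variables."""
    if y not in fv(a) and y not in taken:
        return y
    avoid = fv(body) | fv(a) | {x} | taken
    return next(f"{y}{n}" for n in count(1) if f"{y}{n}" not in avoid)

def subst(b, x, a):
    """b{x<-a}: substitute a for the free occurrences of x in b."""
    tag = b[0]
    if tag == "var":
        return a if b[1] == x else b
    if tag == "type":
        return b
    if tag in ("app", "pair"):
        return (tag, subst(b[1], x, a), subst(b[2], x, a))
    if tag in BINDERS:
        _, y, A, body = b
        A2 = subst(A, x, a)                 # the binder's type is always substituted
        if y == x:                          # (λx:A. b){x<-a} = λx:A{x<-a}. b
            return (tag, y, A2, body)
        y2 = pick(y, body, a, x)
        return (tag, y2, A2, subst(subst(body, y, ("var", y2)), x, a))
    if tag == "let":
        _, y, z, c, d = b
        c2 = subst(c, x, a)
        if x in (y, z):                     # x is rebound by the let: d is untouched
            return ("let", y, z, c2, d)
        y2 = pick(y, d, a, x, taken={z})
        z2 = pick(z, d, a, x, taken={y2})
        d2 = subst(subst(subst(d, y, ("var", y2)), z, ("var", z2)), x, a)
        return ("let", y2, z2, c2, d2)
    raise ValueError(f"unknown expression form {tag!r}")

def show(e):
    """Render an expression in the paper's concrete syntax."""
    tag = e[0]
    if tag == "var":
        return e[1]
    if tag == "type":
        return "Type"
    if tag == "app":
        return f"{show(e[1])}({show(e[2])})"
    if tag == "pair":
        return f"<{show(e[1])}, {show(e[2])}>"
    if tag == "let":
        return f"let {e[1]},{e[2]} = {show(e[3])} in {show(e[4])}"
    return f"{SYMBOL[tag]}{e[1]}:{show(e[2])}. {show(e[3])}"

if __name__ == "__main__":
    # The paper's remark: in λx:x. x the second x is free, so FV is {x}.
    print(fv(("lam", "x", ("var", "x"), ("var", "x"))))
    # Substituting y for x under a binder named y forces the renaming y -> y1.
    print(show(subst(("lam", "y", ("var", "A"), ("app", ("var", "x"), ("var", "y"))),
                     "x", ("var", "y"))))
```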



4. Type Assignments 

A type assignment T is a partial function from identifiers to terms, and it can be written as X-| :A^,...,X n :A n ,... 
where each Xj is a variable and each Aj is a type (0 is the empty assignment). The assignment T.x:A is the same as 
T, except that the variable X is now associated with A. We shall allow T.x:A only in situations where X g dom(T), 
where dom(T) is the domain of T, i.e., it is the set of variables which are defined in T. 

Assignments are used in the next sections to derive typing relations (T h a: A) and equivalence relations (T h 
a <-> b). In each of these cases, when something holds relative to an assignment, it also holds for larger assignments: 

T I- A:Type T I- b:B 

[Extendi] 

T, x:A I- b:B 

T I- A:Type Thaeb 

[Extend 2] 

T, x:A I- aeb 

The relations T h a: A and T h a <-> b are defined in the next section. 



5. Type Inference and Reduction Rules 

Although types and values are mixed, all expressions, whether denoting types or other values, must be 
well-typed. In particular we must be able to determine types for expressions denoting types and computations over types. 

This section defines a set of typing and reduction rules. If an expression can be typed according to the typing 
rules, then it is well-typed. Evaluation (i.e., reduction) may be required during the process of assigning types to 
expressions. In general it is undecidable whether an expression is well-typed. 

The presentation of the rules follows and extends that of Meyer and Reinhold [Meyer 86]. The rules are divided 
into groups; the typing rules describe the typing relations between values and types. There is exactly one typing rule 
for each syntactic class of expressions, plus one rule which is responsible for introducing computation during typing. 
The conversions group adapts the usual conversion rules for untyped λ-calculus to the typed case. The remaining 
two groups are lengthy but uninteresting; they extend the basic conversion relation to a substitutive equivalence 
relation on terms. 
The first line of assumptions (if any) in each of the rules states the well-formedness of the expressions in the 
second line of assumptions (if any) and in the conclusions. Such well-formedness assumptions are often omitted in 
the presentation of similar inference systems such as Martin-Löf's. 



Typing Rules 

[Assumption] 
  Γ ⊢ A:Type 
  ------------------------ 
  Γ, x:A ⊢ x:A 

[Type Formation]   ∅ ⊢ Type:Type 

[∀ Formation] 
  Γ ⊢ A:Type 
  Γ, x:A ⊢ B:Type 
  ------------------------ 
  Γ ⊢ (∀x:A. B): Type 

[∀ Introduction] 
  Γ ⊢ A:Type   Γ, x:A ⊢ B:Type 
  Γ, x:A ⊢ b:B 
  ------------------------ 
  Γ ⊢ (λx:A. b): (∀x:A. B) 

[∀ Elimination] 
  Γ ⊢ A:Type   Γ, x:A ⊢ B:Type 
  Γ ⊢ a:A   Γ ⊢ b: ∀x:A. B 
  ------------------------ 
  Γ ⊢ b(a): B{x←a} 

[∃ Formation] 
  Γ ⊢ A:Type 
  Γ, x:A ⊢ B:Type 
  ------------------------ 
  Γ ⊢ (∃x:A. B): Type 

[∃ Introduction] 
  Γ ⊢ A:Type   Γ, x:A ⊢ B:Type 
  Γ ⊢ a:A   Γ ⊢ b: B{x←a} 
  ------------------------ 
  Γ ⊢ <a, b>: (∃x:A. B) 

[∃ Elimination] 
  Γ ⊢ A:Type   Γ, x:A ⊢ B:Type   Γ, z:(∃x:A. B) ⊢ C:Type 
  Γ ⊢ c: ∃x:A. B   Γ, x:A, y:B ⊢ d: C{z←<x, y>} 
  ------------------------ 
  Γ ⊢ (let x,y = c in d): C{z←c} 

[μ Formation] 
  Γ ⊢ A:Type 
  Γ, x:A ⊢ a:A 
  ------------------------ 
  Γ ⊢ (μx:A. a): A 

[Reduction] 
  Γ ⊢ A:Type   Γ ⊢ B:Type 
  Γ ⊢ a:A   Γ ⊢ A ↔ B 
  ------------------------ 
  Γ ⊢ a:B 

Conversion Rules 

[β Conversion] 
  Γ ⊢ A:Type   Γ, x:A ⊢ B:Type 
  Γ ⊢ a:A   Γ, x:A ⊢ b:B 
  ------------------------ 
  Γ ⊢ (λx:A. b)(a) ↔ b{x←a} 

[η Conversion] 
  Γ ⊢ A:Type   Γ, x:A ⊢ B:Type 
  Γ ⊢ b: ∀x:A. B 
  ------------------------ 
  Γ ⊢ (λx:A. b(x)) ↔ b 

[σ Conversion] 
  Γ ⊢ A:Type   Γ, x:A ⊢ B:Type   Γ, z:(∃x:A. B) ⊢ C:Type 
  Γ ⊢ a:A   Γ ⊢ b: B{x←a}   Γ, x:A, y:B ⊢ d: C{z←<x, y>} 
  ------------------------ 
  Γ ⊢ (let x,y = <a,b> in d) ↔ d{x←a, y←b} 

[π Conversion] 
  Γ ⊢ A:Type   Γ, x:A ⊢ B:Type 
  Γ ⊢ c: ∃x:A. B 
  ------------------------ 
  Γ ⊢ <let x,y = c in x, let x,y = c in y> ↔ c 

[μ Conversion] 
  Γ ⊢ A:Type 
  Γ, x:A ⊢ a:A 
  ------------------------ 
  Γ ⊢ (μx:A. a) ↔ a{x←(μx:A. a)} 

Equality Rules 

[Reflexivity] 
  Γ ⊢ a:A 
  ------------------------ 
  Γ ⊢ a ↔ a 

[Symmetry] 
  Γ ⊢ a ↔ b 
  ------------------------ 
  Γ ⊢ b ↔ a 

[Transitivity] 
  Γ ⊢ a ↔ b   Γ ⊢ b ↔ c 
  ------------------------ 
  Γ ⊢ a ↔ c 

Congruence Rules 

[∀ Formation-C] 
  Γ ⊢ A:Type 
  Γ, x:A ⊢ B:Type 
  Γ ⊢ A ↔ A'   Γ, x:A ⊢ B ↔ B' 
  ------------------------ 
  Γ ⊢ (∀x:A. B) ↔ (∀x:A'. B') 

[∀ Introduction-C] 
  Γ ⊢ A:Type   Γ, x:A ⊢ B:Type 
  Γ, x:A ⊢ b:B 
  Γ ⊢ A ↔ A'   Γ, x:A ⊢ b ↔ b' 
  ------------------------ 
  Γ ⊢ (λx:A. b) ↔ (λx:A'. b') 

[∀ Elimination-C] 
  Γ ⊢ A:Type   Γ, x:A ⊢ B:Type 
  Γ ⊢ a:A   Γ ⊢ b: ∀x:A. B 
  Γ ⊢ a ↔ a'   Γ ⊢ b ↔ b' 
  ------------------------ 
  Γ ⊢ b(a) ↔ b'(a') 

[∃ Formation-C] 
  Γ ⊢ A:Type 
  Γ, x:A ⊢ B:Type 
  Γ ⊢ A ↔ A'   Γ, x:A ⊢ B ↔ B' 
  ------------------------ 
  Γ ⊢ (∃x:A. B) ↔ (∃x:A'. B') 

[∃ Introduction-C] 
  Γ ⊢ A:Type   Γ, x:A ⊢ B:Type 
  Γ ⊢ a:A   Γ ⊢ b: B{x←a} 
  Γ ⊢ a ↔ a'   Γ ⊢ b ↔ b' 
  ------------------------ 
  Γ ⊢ <a, b> ↔ <a', b'> 

[∃ Elimination-C] 
  Γ ⊢ A:Type   Γ, x:A ⊢ B:Type   Γ, z:(∃x:A. B) ⊢ C:Type 
  Γ ⊢ c: ∃x:A. B   Γ, x:A, y:B ⊢ d: C{z←<x, y>} 
  Γ ⊢ c ↔ c'   Γ, x:A, y:B ⊢ d ↔ d' 
  ------------------------ 
  Γ ⊢ (let x,y = c in d) ↔ (let x,y = c' in d') 

[μ Formation-C] 
  Γ ⊢ A:Type 
  Γ, x:A ⊢ a:A 
  Γ ⊢ A ↔ A'   Γ, x:A ⊢ a ↔ a' 
  ------------------------ 
  Γ ⊢ (μx:A. a) ↔ (μx:A'. a') 

Prop (Conversion preserves types) 

If Γ ⊢ a:A and Γ ⊢ a ↔ b then Γ ⊢ b:A 

6. Examples 

The best way to understand the typing rules is to look at examples and special cases, and this is what we are 
going to do in this section. 

In many situations the constant Type will be omitted, according to the following abbreviations: 

∀x. A = ∀x:Type. A 

∃x. A = ∃x:Type. A 

μx. A = μx:Type. A 

λx. A = λx:Type. A 

6.1 Functions 

All the common type constants and operators can be defined. We start with the function space operator which 
can be defined as a special case of universal types. The ∀-introduction rule says that a function λx:A. b has a 
universal type ∀x:A. B, where in general x may occur in B (for example, λA:Type. λx:A. x has type 
∀A:Type. ∀x:A. A, where the variable A occurs in the body of the outer quantifier). However, if x does not occur in 
B, then x is useless, and we can take A→B as an abbreviation for ∀x:A. B. Now, according to the ∀-introduction 
rule, some functions can have function types instead of the more general universal types; for example, λx:A. x has 
type A→A (which is the same as ∀x:A. A). Even better, → can be defined as a term, as opposed to a metasyntactic 
abbreviation: it is a function which takes two types A and B and returns ∀x:A. B (note that x is not free in B as B is 
a variable). The type operator → is then immediately used to describe its own type, and the Type:Type property is 
put into action: 

→ = λA. λB. ∀x:A. B : Type→Type→Type 
The following inference rules can then be derived from the ∀ rules: 

[→ Formation] 
  Γ ⊢ A:Type   Γ ⊢ B:Type 
  ------------------------ 
  Γ ⊢ A→B: Type 

[→ Introduction] 
  Γ ⊢ A:Type   Γ ⊢ B:Type 
  Γ, x:A ⊢ b:B 
  ------------------------ 
  Γ ⊢ (λx:A. b): (A→B) 

[→ Elimination] 
  Γ ⊢ A:Type   Γ ⊢ B:Type 
  Γ ⊢ a:A   Γ ⊢ b: A→B 
  ------------------------ 
  Γ ⊢ b(a): B 



6.2 Basic types 

The type ∀A. A is called Void as there are no normal-form (n.f.) terms of this type: 

Void = ∀A. A : Type 

⊥ = λA. μx:A. x : Void 

Given a value v:Void, we can obtain a value of any type A as v(A), by [∀ Elimination]; for example ⊥(Type): Type, 
and ⊥(⊥(Type)): ⊥(Type). The term ⊥(A) represents the divergent computation of type A (i.e., a computation which 
was trying to deliver something of type A, but diverged in the process). 

Some useful type constants are Unit (there is a single n.f. term of this type) and Bool (there are two n.f. terms of 
this type): 

Unit = ∀A. ∀a:A. A : Type 
unity = λA. λa:A. a : Unit 

Bool = ∀A. ∀a:A. ∀b:A. A : Type 
true = λA. λa:A. λb:A. a : Bool 
false = λA. λa:A. λb:A. b : Bool 

cond = λc:Bool. λA. λa:A. λb:A. c(A)(a)(b) : Bool→Bool 

We can use the following syntactic sugar for conditionals, where we may want to omit the "both A" type 
information whenever possible. 

if c then a else b both A ≡ cond(c)(A)(a)(b) 



6.3 Pairs 

A cartesian product operator can be defined as a special case of existential types, in the same way in which we 
defined → as a special case of universal types. An object of type ∃x:A. B (where in general x may occur in B) is a 
pair <a,b> where a has type A and b has type B{x←a}. If x does not occur in B then an object of type ∃x:A. B is 
simply a pair <a,b> with a in A and b in B, and we can abbreviate ∃x:A. B as A × B. Again, we can define × as a 
term: 

× = λA. λB. ∃x:A. B : Type→Type→Type 

pair = λA. λB. λa:A. λb:B. <a,b> : ∀A. ∀B. A→B→(A × B) 
fst = λA. λB. λc: A × B. let x,y = c in x : ∀A. ∀B. (A × B)→A 
snd = λA. λB. λc: A × B. let x,y = c in y : ∀A. ∀B. (A × B)→B 

split = λA. λB. λC:(A × B→Type). λc: A × B. λd:(∀x:A. ∀y:B. C(<x,y>)). let x,y = c in d(x)(y) 
  : ∀A. ∀B. ∀C:(A × B→Type). ∀c: A × B. ∀d:(∀x:A. ∀y:B. C(<x,y>)). C(c) 

The usual properties of pair, fst and snd (modulo the heavy typing) hold: 

c = pair(A)(B)(a)(b) 
fst(A)(B)(c) ↔ a 
snd(A)(B)(c) ↔ b 
pair(A)(B)(fst(A)(B)(c))(snd(A)(B)(c)) ↔ c 

We now have the following rules, derivable from the ∃ rules: 

[× Formation] 
  Γ ⊢ A:Type   Γ ⊢ B:Type 
  ------------------------ 
  Γ ⊢ A × B: Type 

[× Introduction] 
  Γ ⊢ A:Type   Γ ⊢ B:Type 
  Γ ⊢ a:A   Γ ⊢ b:B 
  ------------------------ 
  Γ ⊢ pair(A)(B)(a)(b): A × B 

[× Elimination] 
  Γ ⊢ A:Type   Γ ⊢ B:Type   Γ, z:A × B ⊢ C:Type 
  Γ ⊢ c: A × B   Γ ⊢ d: ∀x:A. ∀y:B. C{z←pair(A)(B)(x)(y)} 
  ------------------------ 
  Γ ⊢ split(A)(B)(λz: A × B. C)(c)(d): C{z←c} 

Alternatively, the cartesian product can be defined using only universal types. The previous rules still hold and 
can be derived from the ∀ rules, except that we can only obtain a weaker form of [× Elimination]: 

× = λA. λB. ∀C. (A→B→C)→C : Type→Type→Type 

pair = λA. λB. λa:A. λb:B. λC. λc: A→B→C. c(a)(b) : ∀A. ∀B. A→B→(A × B) 
fst = λA. λB. λc: A × B. c(A)(λa:A. λb:B. a) : ∀A. ∀B. (A × B)→A 
snd = λA. λB. λc: A × B. c(B)(λa:A. λb:B. b) : ∀A. ∀B. (A × B)→B 
split = λA. λB. λC:(A × B→Type). λc: A × B. 
  λd:(∀x:A. ∀y:B. C(pair(A)(B)(x)(y))). d(fst(A)(B)(c))(snd(A)(B)(c)) 
  : ∀A. ∀B. ∀C:(A × B→Type). ∀c: A × B. ∀d:(∀x:A. ∀y:B. C(pair(A)(B)(x)(y))). 
    C(pair(A)(B)(fst(A)(B)(c))(snd(A)(B)(c))) 



6.4 Unions 

Disjoint unions can also be encoded in terms of universal types only: 

+ = λA. λB. ∀C. (A→C)→(B→C)→C : Type→Type→Type 

inl = λA. λB. λa:A. λC. λf: A→C. λg: B→C. f(a) : ∀A. ∀B. A→(A+B) 

inr = λA. λB. λb:B. λC. λf: A→C. λg: B→C. g(b) : ∀A. ∀B. B→(A+B) 

unioncase = λA. λB. λc: A+B. λC. λf:A→C. λg:B→C. c(C)(f)(g) : ∀A. ∀B. (A+B)→(A+B) 

The operations inl and inr inject a value in the left or right component of a union. The unioncase operation takes an 
element c of A+B, and calls one of two functions on the projection of c into A or B, as appropriate. For example, the 
operation isl (detecting whether something is in the left component of a union) can be programmed as: 

isl = λA. λB. λc: A+B. 
  unioncase(A)(B)(c)(Bool) 
    (λa:A. true) 
    (λb:B. false) 
  : ∀A. ∀B. (A+B)→Bool 

Unfortunately, this definition of disjoint unions is not as general as we might want. We would like to have the 
following inference rules: 

[+ Formation] 
  Γ ⊢ A:Type   Γ ⊢ B:Type 
  ------------------------ 
  Γ ⊢ A+B: Type 

[+ Introduction] 
  Γ ⊢ A:Type   Γ ⊢ B:Type 
  Γ ⊢ a:A   Γ ⊢ b:B 
  ------------------------ 
  Γ ⊢ inl(a): A+B   Γ ⊢ inr(b): A+B 

[+ Elimination] 
  Γ ⊢ A:Type   Γ ⊢ B:Type   Γ, z:A+B ⊢ C:Type 
  Γ ⊢ c: A+B   Γ, a:A ⊢ f: C{z←inl(a)}   Γ, b:B ⊢ g: C{z←inr(b)} 
  ------------------------ 
  Γ ⊢ (unioncase c of l => a.f, r => b.g): C{z←c} 

These rules (in particular, [+ Elimination]) cannot be derived, and have to be taken as primitives. Given that we 
have to introduce new primitives, it is more convenient to introduce n-ary disjoint unions instead of binary ones. The 
constructors inl and inr are now replaced by a countable set S of constructors which, for convenience, we take to be 
identifiers (the syntactic context will allow us to distinguish them from identifiers used as variables). N-ary union 
types are denoted by [s1:A1, ..., sn:An], where here and in the following rules we assume s1, ..., sn ∈ S. 
Moreover, we identify union types up to reordering of their components, and case expressions up to reordering of 
their branches. 

[[] Formation] 
  Γ ⊢ A1:Type ... Γ ⊢ An:Type 
  ------------------------ 
  Γ ⊢ [s1:A1, ..., sn:An]: Type 

[[] Introduction]   (i ∈ {1, ..., n}) 
  Γ ⊢ A1:Type ... Γ ⊢ An:Type 
  Γ ⊢ a:Ai 
  ------------------------ 
  Γ ⊢ [si=a]: [s1:A1, ..., sn:An] 

[[] Elimination] 
  Γ ⊢ A1:Type ... Γ ⊢ An:Type   Γ, z:[s1:A1, ..., sn:An] ⊢ C:Type 
  Γ ⊢ c: [s1:A1, ..., sn:An] 
  Γ, a1:A1 ⊢ f1: C{z←[s1=a1]} ... Γ, an:An ⊢ fn: C{z←[sn=an]} 
  ------------------------ 
  Γ ⊢ (case c of s1 => a1.f1, ..., sn => an.fn): C{z←c} 

The semantics of these types is not treated later in the paper. However, disjoint unions have important 
applications, and we describe some of them in the following subsections. 
Binary disjoint unions can now be defined by taking: 

A+B = [inl:A, inr:B] 



6.5 Finite sets 



Finite sets (also called enumeration types) can now be defined as a degenerate form of n-ary unions: 

[s1, ..., sn] = [s1:Unit, ..., sn:Unit] 

|si| = [si=unity] 



6.6 Dependent conditionals 

A dependent conditional is one in which the types of the then and else branches may differ. Its type is then 
dependent on the test value. We want: 

if x then 3 else true : if x then Int else Bool 

An operator of this kind can only be defined by using disjoint unions: 

Bool = [true, false] 

true = |true| 

false = |false| 

if a then b else c = case a of true => x.b, false => x.c   (x ∉ FV(b) ∪ FV(c)) 

It is now possible to check that the dependent conditional example above is well-typed. 

6.7 Records 

Again using n-ary unions, we can define unordered labeled cartesian products, that is records (here b, x do not 
occur free in a1, ..., an, A1, ..., An): 

{s1:A1, ..., sn:An} = ∀b:[s1, ..., sn]. case b of s1 => x.A1, ..., sn => x.An 
{s1=a1, ..., sn=an} = λb:[s1, ..., sn]. case b of s1 => x.a1, ..., sn => x.an 

a.s = a(|s|) 

It is now possible to deduce that, for example: 

{a = 3, b = true} : {a : Int, b : Bool} 



Note also that these record types are more flexible than ordinary record types in programming languages: field 
selection can be expressed as a(b) where a is a record and b is a selector that does not have to be statically known. 

6.8 Recursion 

Types can be defined by recursion. An element of List(A) (lists whose elements have type A) is either the 
empty list (of type Unit) or a pair of an A (the head of the list) and, recursively, a List(A) (the tail of the list). 

List = λA. μB. Unit + (A × B) : Type→Type 

nil = λA. inl(Unit)(A × List(A))(unity) : ∀A. List(A) 

cons = λA. λx:A. λy:List(A). inr(Unit)(A × List(A))(pair(A)(List(A))(x)(y)) 
  : ∀A. A→List(A)→List(A) 

listcase = λA. λC. λc: List(A). λf:Unit→C. λg:(A × List(A))→C. 
  case(Unit)(A × List(A))(C)(c)(f)(g) 
  : ∀A. ∀C. List(A)→(Unit→C)→(A × List(A)→C)→C 

Natural numbers can be defined as List(Unit), which is the same as μB. Unit + (Unit × B). 

Nat = List(Unit) : Type 
0 = nil(Unit) : Nat 

succ = λn:Nat. cons(Unit)(unity)(n) : Nat→Nat 

pred = λn:Nat. listcase(Unit)(Nat)(n)(λa:Unit. 0)(λa:Unit × Nat. snd(Unit)(Nat)(a)) : Nat→Nat 
zero = λn:Nat. listcase(Unit)(Bool)(n)(λa:Unit. true)(λa:Unit × Nat. false) : Nat→Bool 

Alternatively, the list type can be defined as: 

List = μB:Type→Type. λA. Unit + (A × B(A)) : Type→Type 

6.9 Self-describing objects 

If we have a type A and an object a of that type, we can form the (dependent) pair <A,a>. Such a pair has type 
3A. A, and since any object which has a type can be so treated, 3A. A is also called Any: 

Any = ∃A. A : Type 

any = λA. λa:A. <A,a> : ∀A. A→Any 
typeof = λa:Any. let x,y = a in x : Any→Type 
valueof = λa:Any. let x,y = a in y : ∀a:Any. typeof(a) 



If we have an object a of type Any we really have no information about it, because it can be anything. But such an 
object has its own type information with it, and this can be extracted by the typeof(a) operation. It is also possible to 
extract the value by valueof(a), whose type is typeof(a). 

6.10 Dependent pairs 

The typeof and valueof operations can be generalized to arbitrary existential types. In their general form they 
are known as the left projection and right projection of a dependent product: 

lft = λA. λB:A→Type. λc:(∃x:A. B(x)). let x,y = c in x 
  : ∀A. ∀B:A→Type. ∀c:(∃x:A. B(x)). A 
rht = λA. λB:A→Type. λc:(∃x:A. B(x)). let x,y = c in y 
  : ∀A. ∀B:A→Type. ∀c:(∃x:A. B(x)). B(lft(A)(B)(c)) 



6.11 Data abstraction 

Following Mitchell and Plotkin [Mitchell 85], it is possible to treat abstract types as existential types, given 
operators for building and examining objects of existential types [Girard 71]. We consider here a pack operator, 
which packages an object so that it has an existential type (and hides some type information which is usually 
interpreted as the representation of the abstract type), and an open operator, which allows one to open and use a 
package without getting access to the representation. See examples in [Cardelli 85]. 

pack = λA:Type→Type. λB. λa:A(B). <B,a> 
  : ∀A:Type→Type. ∀B. ∀a:A(B). ∃C. A(C) 
open = λA:Type→Type. λB. λa:(∃C. A(C)). λf:(∀D. ∀a:A(D). B). let x,y = a in f(x)(y) 
  : ∀A:Type→Type. ∀B. ∀a:(∃C. A(C)). ∀f:(∀D. ∀a:A(D). B). B 

Abs = λA. A × (A→Nat) : Type→Type 
AbsType = ∃A. Abs(A) : Type 

a = pack(Abs)(Nat)(pair(Nat)(Nat→Nat)(3)(succ)) : AbsType 

open(Abs)(Bool)(a)(λD. λa:Abs(D). zero(snd(D)(D→Nat)(a)(fst(D)(D→Nat)(a)))) ↔ false 
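The encodings of Sections 6.2 to 6.4, 6.8 and 6.11 run as untyped terms, as an added example that is not part of the paper. It assumes that type arguments and annotations are erased (they have no computational role once typechecking is done), that the type component of an existential pair is kept as a runtime tag, and it adds the decoding helpers `as_bool`, `nat` and `to_int`, which are not in the paper.

```python
# Added example, not from the paper: the encodings of Sections 6.2-6.4, 6.8 and
# 6.11 executed as untyped terms in Python. Type arguments and annotations
# (λA., λa:A., ...) are erased, since after typechecking they play no
# computational role; the remaining structure follows the paper's definitions.

# 6.2: Unit and Bool (true/false are the paper's two n.f. terms; cond applies them).
unity = lambda a: a
true = lambda a: lambda b: a
false = lambda a: lambda b: b
cond = lambda c: lambda a: lambda b: c(a)(b)
as_bool = lambda c: c(True)(False)          # decoding helper, not in the paper

# 6.3: cartesian products from universal types only, A×B = ∀C. (A→B→C)→C.
pair = lambda a: lambda b: lambda c: c(a)(b)
fst = lambda p: p(lambda a: lambda b: a)
snd = lambda p: p(lambda a: lambda b: b)

# 6.4: disjoint unions from universal types only, A+B = ∀C. (A→C)→(B→C)→C.
inl = lambda a: lambda f: lambda g: f(a)
inr = lambda b: lambda f: lambda g: g(b)
unioncase = lambda c: lambda f: lambda g: c(f)(g)
isl = lambda c: unioncase(c)(lambda a: true)(lambda b: false)

# 6.8: List(A) = μB. Unit + (A×B) and Nat = List(Unit). The paper's `case` on
# A+B = [inl:A, inr:B] is the binary unioncase here.
nil = inl(unity)
cons = lambda x: lambda y: inr(pair(x)(y))
listcase = lambda c: lambda f: lambda g: unioncase(c)(f)(g)
zero_nat = nil                                   # the paper's 0
succ = lambda n: cons(unity)(n)
pred = lambda n: listcase(n)(lambda a: zero_nat)(lambda a: snd(a))
zero = lambda n: listcase(n)(lambda a: true)(lambda a: false)

def nat(k):
    """Build the Nat succ^k(0) (helper, not in the paper)."""
    n = zero_nat
    for _ in range(k):
        n = succ(n)
    return n

def to_int(n):
    """Decode a Nat by repeated pred until zero(n) holds (helper, not in the paper)."""
    k = 0
    while not as_bool(zero(n)):
        n, k = pred(n), k + 1
    return k

# 6.11 (and 6.9): pack/open over existential pairs. The type component of <B,a>
# is kept as a runtime tag (a string here), since typeof/valueof can read it.
pack = lambda B: lambda a: (B, a)                 # <B,a> : ∃C. A(C)
open_ = lambda a: lambda f: f(a[0])(a[1])         # let x,y = a in f(x)(y)
typeof = lambda a: a[0]
valueof = lambda a: a[1]

def abs_example():
    """The closing example of 6.11: the package hides the representation Nat and
    the pair <3, succ>; the client applies the hidden function to the hidden
    value and tests for zero, yielding false."""
    a = pack("Nat")(pair(nat(3))(succ))                # Abs = λA. A×(A→Nat)
    client = lambda D: lambda r: zero(snd(r)(fst(r)))  # λD. λa:Abs(D). zero(snd(a)(fst(a)))
    return as_bool(open_(a)(client))

if __name__ == "__main__":
    print(to_int(pred(nat(4))), as_bool(isl(inl(0))), abs_example())
```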
6.12 More on dependent types 

It is interesting to notice that two terms Π and Σ can be defined which are essentially equivalent to the ∀ and ∃ 
constructs respectively. 

Π = λA. λB:A→Type. ∀a:A. B(a) : ∀A. ∀B:A→Type. Type 

Σ = λA. λB:A→Type. ∃a:A. B(a) : ∀A. ∀B:A→Type. Type 

pair = λA. λB:A→Type. λa:A. λb:B(a). <a,b> 
  : ∀A. ∀B:A→Type. ∀a:A. B(a)→Σ(A)(B) 
unpair = λA. λB:A→Type. λC:(Σ(A)(B)→Type). λc:Σ(A)(B). λd:(∀a:A. ∀b:B(a). C(<a,b>)). 
  let x,y = c in d(x)(y) 
  : ∀A. ∀B:A→Type. ∀C:(Σ(A)(B)→Type). ∀c:Σ(A)(B). ∀d:(∀a:A. ∀b:B(a). C(<a,b>)). C(c) 
lft = λA. λB:A→Type. λc:Σ(A)(B). unpair(A)(B)(λx:Σ(A)(B). A)(c)(λa:A. λb:B(a). a) 
  : ∀A. ∀B:A→Type. ∀c:Σ(A)(B). A 
rht = λA. λB:A→Type. λc:Σ(A)(B). unpair(A)(B)(λx:Σ(A)(B). B(lft(A)(B)(x)))(c)(λa:A. λb:B(a). b) 
  : ∀A. ∀B:A→Type. ∀c:Σ(A)(B). B(lft(A)(B)(c)) 

Generalizing the way we defined cartesian product in terms of universal types only, we can attempt to define Σ 
without using existential types. This plan however fails; here is the best we can do [Martin-Löf 71]: 

Σ' = λA. λB:A→Type. ∀C. (∀a:A. B(a)→C)→C : ∀A. ∀B:A→Type. Type 
pair' = λA. λB:A→Type. λa:A. λb:B(a). λC. λc:(∀a:A. B(a)→C). c(a)(b) 
  : ∀A. ∀B:A→Type. ∀a:A. B(a)→Σ'(A)(B) 
unpair' = λA. λB:A→Type. λC. λp:Σ'(A)(B). λq:(∀a:A. B(a)→C). p(C)(q) 
  : ∀A. ∀B:A→Type. ∀C. Σ'(A)(B)→(∀a:A. B(a)→C)→C 

The problem is that unpair' is not as flexible as unpair, as its result type (C) cannot be made dependent. Using 
unpair' we can define a version of lft, but the corresponding version of rht is not typeable: 

lft' = λA. λB:A→Type. λc:Σ'(A)(B). unpair'(A)(B)(A)(c)(λa:A. λb:B(a). a) 
  = λA. λB:A→Type. λc:Σ'(A)(B). c(A)(λa:A. λb:B(a). a) 
  : ∀A. ∀B:A→Type. ∀c:Σ'(A)(B). A 
rht' = λA. λB:A→Type. λc:Σ'(A)(B). unpair'(A)(B)(B(lft(A)(B)(c)))(c)(λa:A. λb:B(a). b)   wrong! 
  : ∀A. ∀B:A→Type. ∀c:Σ'(A)(B). B(lft(A)(B)(c)) 

The right projection of a pair is very useful for defining the Any type and the parametric modules operators in 
[MacQueen 86]. Thus we have existential types as a primitive construct. 

7. The meaning of Type 

A type is, in first approximation, a retraction [Scott 76]. A retraction is similar to a coercion, as we can see from 
the following example of a boolean retraction (in the untyped λ-calculus): 

Bool = λx. if x then true else false 

This retraction coerces an arbitrary object x to true or false (or diverges if x diverges). Note that booleans are not 
affected by this coercion, while non-booleans are mapped to booleans. A retraction maps the whole domain of 
values to a subdomain (called a retract) whose elements are all fixpoints of the retraction (e.g. Bool(true) = true). 
Hence, retracting twice is the same as retracting once, for example Bool(Bool(x)) = Bool(x), which can be written 
Bool ∘ Bool = Bool. The latter is taken as the defining property of retractions: 

r is a retraction iff r ∘ r = r 

d is a type iff it is a retract (the image of a retraction) 

a has type r (written a:r), where r is a retraction, iff r(a) = a 

It is possible to define retractions for function spaces, cartesian products, etc., and the definitions are given in 
the following section. Consider now the function: 

d = λr. r ∘ r 

All retracts are fixpoints of d, hence d defines the set of all retracts. Is such a set a retract? Unfortunately not, and d 
itself is not a retraction (it does not satisfy d ∘ d = d). Hence the set of all (retractions determining) types is not a 
type. 

Retractions fail to satisfy Type:Type, but not by much. If we consider particular classes of retractions, then we 
can achieve Type:Type. The basic idea is still valid: a type is determined by a coercion operation, which is itself a 
value which can be manipulated. In this slightly indirect sense types are values, and the indirection avoids the 
paradoxes connected with Type:Type. 
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8. The A,x-calculus 

We axiomatize a general class of models of the type-free A-calculus with pairing and retractions having the 
desired properties [Amadio 85]. These are called models of the APcTtX-calculus, or simply Ax -calculus. Expressions 
of the Ax-calculus have the form: 

e ::= 

i I 
* I 

Ax. e | e(e) | 

<e, e> | let i , i = e in e 

First we need some definitions: 

f o g = Ax. f(g(x)). 

fst(p) = let x,y = p in x 

snd(p) = let x,y = p in y 

n(A)(B) = Af. Ax. B(A(x))(f(A(x))) 

E(A)(B) = Ap. <A(fst(p)), B(A(fst(p)))(snd(p))> 

Y = Af. (Ax. f(x(x)))(Ax. f(x(x))) 

The following are the axioms: 

[β]    (λx. a)(b) = a{x ← b} 

[ρ]    let x,y = <a,b> in c = c{x ← a, y ← b} 

[η]    <fst(c), snd(c)> = c 

[τ]    τ(τ) = τ 

[τa]   τ(a) ∘ τ(a) = τ(a) 

[τΠ]   τ(Π(τ(A))(τ ∘ B)) = Π(τ(A))(τ ∘ B) 

[τΣ]   τ(Σ(τ(A))(τ ∘ B)) = Σ(τ(A))(τ ∘ B) 

[τY]   τ(A)(Y(τ(A) ∘ a ∘ τ(A))) = Y(τ(A) ∘ a ∘ τ(A)) 

From the [τ] and [τa] axioms it follows that τ = τ ∘ τ. 

Def a : A iff A(a) = a 



The intended meaning of τ is obviously to serve as the type of all types, including itself: 

Prop (Type formation) 

τ : τ 

The function space closure operation A→B takes any function f and coerces its arguments to A and its results to 
B, hence coercing f to A→B: 

Def A→B = λf. B ∘ f ∘ A 

Prop 

A:τ, B:τ => A→B : τ 

The → operator is a special case of the dependent product operator Π: 

Prop (Π formation) 

A:τ, B:A→τ => Π(A)(B) : τ 

The cartesian product of two types A×B takes any pair p and coerces its left component to A and its right 
component to B, hence coercing p to A×B: 

Def A×B = λp. <A(fst(p)), B(snd(p))> 

Prop 

A:τ, B:τ => A×B : τ 

Cartesian products can be generalized to dependent sums Σ: 

Prop (Σ formation) 

A:τ, B:A→τ => Σ(A)(B) : τ 

The fixpoint operator satisfies the property: 

Prop (Y formation) 

A:τ, a:A→A => Y(a) : A 

and it can be used for recursive type definitions: 

Corollary 

A:τ→τ => Y(A) : τ 

Several models of the λτ-calculus are known [Scott 76] [McCracken 86] [Amadio 85]. 
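Sections 7 and 8 treat a type as an idempotent coercion. As an added example that is not part of the paper, the following Python encodes Bool, Int, A→B, A×B and d = λr. r ∘ r as ordinary functions, decides membership by the fixpoint condition A(a) = a, shows that d is not a retraction, and reproduces the coercion of 3 by (λx:Bool. x) that Section 9 uses to motivate part (ii) of the soundness theorem. All names and sample values are my own constructions, and the r ∘ r = r checks are extensional over those samples.

```python
# Added example (not from the paper): types as retractions, i.e. idempotent coercions
# r with r o r = r, and a : r iff r(a) = a.  All names below are my own constructions.
def compose(f, g):
    """f o g = λx. f(g(x))"""
    return lambda x: f(g(x))

def has_type(a, A):
    """a : A  iff  A(a) = a  (the paper's definition of membership)."""
    return A(a) == a

# Base retractions (constructed): coerce anything to a boolean, resp. an integer.
def Bool(x): return bool(x)
def Int(x): return int(x)

def arrow(A, B):
    """A -> B = λf. B o f o A: coerce f's arguments to A and results to B."""
    return lambda f: compose(B, compose(f, A))

def product(A, B):
    """A x B = λp. <A(fst p), B(snd p)>"""
    return lambda p: (A(p[0]), B(p[1]))

def d(r):
    """d = λr. r o r: every retract is a fixpoint of d, but d is no retraction."""
    return compose(r, r)

SAMPLES = [0, 1, 3, -2, True, False, 2.5]  # constructed sample values

def retraction_checks():
    """r o r = r for Bool, Int and Bool x Int, checked extensionally on samples."""
    rr = lambda r, xs: all(compose(r, r)(x) == r(x) for x in xs)
    return (rr(Bool, SAMPLES), rr(Int, SAMPLES),
            rr(product(Bool, Int), [(0, 1), (3, 2.5)]))

def membership_demo():
    """Fixpoints of a coercion have that type; 3 is not a boolean."""
    inc_coerced = arrow(Bool, Int)(lambda x: x + 1)  # Int(Bool(3) + 1) = 2
    return (has_type(True, Bool), has_type(3, Bool), has_type(3, Int),
            has_type((True, 3), product(Bool, Int)), inc_coerced(3))

def d_is_not_a_retraction():
    """(d o d)(inc)(0) = inc^4(0) = 4 differs from d(inc)(0) = 2, so d o d != d."""
    inc = lambda n: n + 1
    return d(inc)(0), compose(d, d)(inc)(0)

def soundness_remark():
    """Section 9: (λx:Bool. x)(3) denotes Bool(3) = True, but its reduct 3 is no Bool."""
    typed_identity = lambda v: (lambda x: x)(Bool(v))  # meaning of λx:Bool. x
    return typed_identity(3), has_type(typed_identity(3), Bool), has_type(3, Bool)
```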

9. Semantics 

The denotational semantics of our calculus can now be given easily in any model M of the λτ-calculus. Here ρ 
is an environment mapping variables to elements of M, and V is a function mapping terms and environments to 
elements of M. The environment ρ{x ← v} is the same as ρ, except that x is associated to v; ρ(x) is the element 
associated to x in ρ. 

V[x]ρ = ρ(x) 

V[Type]ρ = τ 

V[λx:a. b]ρ = λv. V[b]ρ{x ← (V[a]ρ)(v)} 

V[a(b)]ρ = (V[a]ρ)(V[b]ρ) 

V[∀x:A. B]ρ = Π(V[A]ρ)(λv. V[B]ρ{x ← v}) 

V[<a,b>]ρ = <V[a]ρ, V[b]ρ> 

V[let x,y = a in b]ρ = V[b]ρ{x ← fst(V[a]ρ), y ← snd(V[a]ρ)} 

V[∃x:A. B]ρ = Σ(V[A]ρ)(λv. V[B]ρ{x ← v}) 

V[μx:A. a]ρ = Y(V[λx:A. a]ρ) 

To show that the semantics is in some sense correct, we want to relate it to the type inference system. In fact we 
are only interested in the semantics of well-typed terms, while V gives semantics to all terms. The main result is 
hence a soundness theorem stating that the semantics of a well-typed term is semantically related to the semantics of 
its inferred type. 

First, we prove a set of propositions which are the semantic versions of the introduction and elimination type 
inference rules: 

Prop (Π introduction) 

A:τ, B:A→τ, (∀x. x:A => b(x):B(x)) => λx. b(A(x)) : Π(A)(B) 



Prop (Π elimination) 

A:τ, B:A→τ, a:A, b:Π(A)(B) => b(a) : B(a) 

Prop (Σ introduction) 

A:τ, B:A→τ, a:A, b:B(a) => <a,b> : Σ(A)(B) 

Prop (Σ elimination) 

A:τ, B:A→τ, C:Σ(A)(B)→τ, 
c:Σ(A)(B), (∀x. ∀y. x:A, y:B(x) => d(x)(y):C(<x,y>)) 
=> let x,y = c in d(x)(y) : C(c) 

Lemma (substitution) 

V[b{x ← a}]ρ = V[b]ρ{x ← V[a]ρ} 

Def 

Γ is type compatible with ρ if for all x in the domain of Γ, Γ(x) = A implies ρ(x) : V[A]ρ', 
where ρ' ⊆ ρ and the domain of ρ' includes all the free variables of A. 

Theorem (semantic soundness) 

If Γ is type compatible with ρ, then: 

(i) Γ ⊢ a:A   =>   V[a]ρ : V[A]ρ 

(ii) Γ ⊢ b ⇒ c   =>   V[b]ρ = V[c]ρ 

Semantic soundness is normally stated as (i) alone. However, type inference is mixed here with reduction, and 
as a part of showing (i) one must show that reductions are well behaved; moreover, one needs (i) in proving (ii). 

A deeper reason for including (ii) in the statement of the theorem (as opposed to having it as a separate theorem) 
is the following. In a retraction semantics the conclusion of (i) may be true even if the premise is false: for example, 
a = (λx:Bool. x)(3) : Bool, as the Bool retraction maps 3 to a boolean. Hence (i) alone leaves open the possibility 
that the type inference system is somehow "incorrectly" defined so that a is well typed and (i) still holds. But, in the 
example, a reduces to 3, whose denotation (an integer) is generally different from a's (a boolean). Hence (ii) does 
not hold for such an incorrect type system. This inadequacy of (i) does not arise in Milner's definition of soundness 
for a semantics not based on retractions [Milner 78]; hence (ii) is incorporated to make the "semantic soundness 
theorem" closer to its original significance. 

10. Expressing other type systems 

Our calculus can be regarded as an ω-order typed λ-calculus; hence it is very easy to encode the second-order 
typed λ-calculus, which in turn can be used as a foundation for the type systems of Russell and ML [Milner 84]. 
Using Reynolds' notation: 

λa:A. b = λa:A. b (value abstraction) 

a(b) = a(b) (value application) 

ΛA. a = λA:Type. a (type abstraction) 

a[A] = a(A) (type application) 

→ = → (function types) 

ΔA. B = ∀A:Type. B (polymorphic types) 



The language used in the ideal model of types [MacQueen 84a], which is the basis for the Standard ML modules 
and type system [MacQueen 84b], can also be easily expressed: 

λa:A. b = λa:A. b (value abstraction) 

a(b) = a(b) (value application) 

→ = → (function types) 

× = × (product types) 

+ = + (union types) 

∀A. B = ∀A:Type. B (universal types) 

∃A. B = ∃A:Type. B (existential types) 

→ = → (function kinds) 

× = × (product kinds) 

where the structure of kinds is pushed down at the type level. 

The Pebble type system is not as easy to encode, due to notation peculiarities, although it is clear that there are 
the following rough correspondences: 

type <-> Type (the type of all types) 

→ <-> ∀ (dependent function types) 

×× <-> ∃ (dependent product types) 



Moreover, existential types can be used to simulate Pebble's bindings and declarations. A binding is an 
association of values to variables, and a declaration is an association of types to variables. The type of a binding is a 
declaration. Each variable in a binding or declaration can be used in the definition of the following variables: 

[A:type~int, a:A~3, b:int~a+1] : (A:type) ×× (a:A) ×× (b:int) 

Examples will illustrate the translation from bindings to typed terms in our calculus. Bindings are translated to 
nested pairs, and the variable names are lost in the process; hence we perform substitutions if a variable is used in 
later bindings. Declarations are translated to existential types, and the variable names are retained. 



nil : void = unity : Unit 

[a:int~3] : (a:int) = <3,unity> : ∃a:Int. Unit 

[a:int~3, b:int~a+1] : (a:int) ×× (b:int) = <3,<3+1,unity>> : ∃a:Int. ∃b:Int. Unit 

[A:type~int, a:A~3] : (A:type) ×× (a:A) = <Int,<3,unity>> : ∃A. ∃a:A. Unit 

A binding b can be opened in a scope by a let-in construct. The binding b can be a parameter, and hence 
unknown, but its type is sufficient to carry out the translation: 

let b : (A:type) ×× (a:A) in ...A...a... 

= (λA:Type. λa:A. ...A...a...)(b₁)(b₂) 

where b₁ and b₂ are the appropriate terms (defined by rip) selecting the first and second components of b. 

Finally, the relations with the theory of constructions [Coquand 85a] are very interesting, and are investigated in 
[Amadio 86]. 

11. Conclusions 

Intuitionistic type theory provides powerful proof systems, based on the proposition-as-type (proof-as-program) 
isomorphism, which are very promising for program verification. Such systems work only under the assumption that 
programs always terminate, since proofs must terminate. Hence, general recursion and unbounded iteration are 
initially banned, as well as the Type:Type property which leads to logic inconsistencies in the form of 
non-terminating proofs. 

While it is true that most ordinary programs are total, at the current state of knowledge it is unthinkable to ask 
programmers to constrain themselves to bounded iterations. Moreover, computer systems require possibly divergent 
programs for routine functioning, hence total programming languages cannot cover interesting aspects of 
programming. The retrofitting of recursion into type theory is being actively pursued [Backhouse 84, Constable 83, 
Constable 84, Paulson 84] and these problems may be solved in the future. 

If our position is instead to admit divergent computations from the start, then the proposition-as-type paradigm 
can be recast as a powerful type system (no longer a logic) which is not incompatible with the Type:Type property. 
Although this position is conceptually divergent from intuitionistic type theory, it is a natural extension of work on 
programming language type systems, and adds to the impression that logic, program verification, and type systems 
for practical languages are on a collision course. 